File name:

armv4l

Full analysis: https://app.any.run/tasks/fae3db08-03fe-48ab-babe-d3a92dbebb68
Verdict: Malicious activity
Threats:

A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.

Malware Trends Tracker     >>>
Analysis date: August 14, 2025, 17:34:05
OS: Debian 12.2
Tags:
auto
mirai
botnet
Indicators:
MIME: application/x-executable
File info: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
MD5:

71DE43B870D0EB4F565CE1E6728D1736

SHA1:

69C03FDE0C002A64749B0B31E48DB4FB52CDE813

SHA256:

B5C07F28A26F5424F6F07A6DBD48FE3A45DB5AAFB67BB5B4268B7F3A415C89BF

SSDEEP:

1536:koP+kb7IkWqzCihTqD1Lk1MhzluXPscJh6AKlZmk8u0Uqv60Z8:koP+kwkE/D1Lkr6Skj0UoZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 1260)

    • Executes commands using command-line interpreter

      • sudo (PID: 1263)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 32 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: Arm (up to Armv7/AArch32)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
201
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
1259/bin/sh -c "sudo chown user /tmp/armv4l\.elf && chmod +x /tmp/armv4l\.elf && DISPLAY=:0 sudo -iu user /tmp/armv4l\.elf "/usr/bin/dashany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
32256
1260sudo chown user /tmp/armv4l.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
1261chown user /tmp/armv4l.elf/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
1262chmod +x /tmp/armv4l.elf/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
1263sudo -iu user /tmp/armv4l.elf/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
32256
1266-bash --login -c \/tmp\/armv4l\.elf/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
32256
1267id -u/usr/bin/idbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
217.79.189.239:123
2.debian.pool.ntp.org
whitelisted
484
avahi-daemon
224.0.0.251:5353
unknown
446
systemd-timesyncd
134.60.1.30:123
2.debian.pool.ntp.org
whitelisted

DNS requests

Domain
IP
Reputation
2.debian.pool.ntp.org
  • 217.79.189.239
  • 134.60.1.30
  • 85.215.166.214
  • 194.50.19.204
  • 2a02:e00:ffec:9f1::1
  • 2003:a:42b:e400::3
  • 2a01:4f8:150:60c3::2
  • 2a0e:b107:27f9:1011::1
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:802::200e
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
armv4l